Irish Circuit Court finds Courts Service breached data protection law

This week the Irish Circuit Court upheld a decision of the Data Protection Commissioner which found that the Courts Service breached the Data Protection Acts when it inadvertently uploaded a copy of a judgment naming a party whose identity was protected by Court Order.

In reaching this conclusion the Court considered the Wirtschaftsakademie and Jehovan todistajat decisions of the CJEU and found that the Courts Service was a data controller. The decision dismissed the idea that the original judge was the sole data controller but left open the possibility that in certain circumstances the judiciary and the Courts Service could be joint controllers.

You can read a copy of the judgment below or download it here.

Approved-judgment-3.2.2020

FP Logue acted for the data subject in this case.

FP Logue – 2019 Highlights

Image: Public domain

As we look at closing the door on 2019 for a well-earned break I thought it would be good to reflect on some of the highlights of the year.

  1. Fred Logue featured in the TG4 documentary, Uchtú, helping broadcaster Evanne Ní Chuilinn access information about her adoption and early life
  2. We highlighted issues with widespread police access to personal data and the responsibilities of data controllers when approached by the police
  3. Throughout the year we reminded everyone that data protection is not necessarily about privacy.
  4. In May we succeeded in ensuring that a social welfare claimant got their benefit without having to register for the Public Services Card.
  5. Finally you can read about the many ground breaking cases that we were involved in and about the coverage of our work in the media

Looking forward to more of the same in 2020!

Government fined more than €5 million by European Court for decade-long environmental law breach

Ireland was sanctioned by the Court of Justice of the European Union because of a failure to carry out an environmental impact assessment of a wind farm development in Derrybrien, Co Galway. Ireland was ordered to conduct an assessment by the court in 2008 but has yet to comply with the European court’s directions in the ten years which followed. The European Commission then took Ireland back to court resulting in serious fines.

European Law states that an environment impact assessment must be carried out before  permission is granted for any project which is likely to have significant effects on the environment . No assessment was carried out before the construction of Derrybrien despite the clear European law on the matter. Construction of the wind farm in 2003 caused a massive landslide which killed thousands of fish and severely damaged the surrounding environment. Following this, Ireland was taken to court in 2008 and lost.

Ireland was then given two months to do an environmental impact assessment on the land. The State came up with a draft plan to carry out a non-statutory assessment but even this came to nothing. Ireland was granted extra time by the EU with December 2016 as the  final deadline but still no action was taken.

The CJEU this year took the Ireland back to court, on grounds that Ireland had not made any significant effort to carry out an environmental impact assessment of the project nor made any concrete plans to do so. They decided that the delay in complying could not be justified and there was no excuse for the inaction.

Ireland argued that they had had no power to direct the company (which is publicly owned) in ownership of the land to carry out the assessment, citing that a judgement cannot affect third parties when they are not heard in proceedings. They also argued that the measures that Ireland was required to take were never specifically identified, meaning that their steps toward a non-statutory assessment technically complied with the 2008 judgement. However, the court rejected these arguments and decided in favour of the European Commission.

A large financial penalties was imposed on Ireland to prevent the recurrence of similar infringements on EU law. The court found that the best way to do this would be t with a lump sum, followed by a significant daily amount as long as the breach continued. This was done to encourage Ireland to carry out the long-awaited environmental impact assessment. The final amount decided on by the courts was a lump sum of €5,000,000 followed by a periodic penalty payment of €15,000 per day from the date of delivery of the present judgement until the date of compliance with the 2008 judgement.

It is clear that all of the expense could have been avoided if Ireland ensured that the wind farm operator, which it owns, met its responsibilities and conducted an environmental impact assessment.

This post was authored by Daire Murray, a TY student from Loreto Kilkenny, who spent the week working with us.

FP Logue secures social welfare payments for client who refused to apply for Public Services Card

FP Logue received confirmation recently that the Department of Employment Affairs and Social Protection has agreed to pay social welfare benefits to a client who refused to register for the Public Services Card (PSC).

Our client had presented a passport and proof of address with an application for benefits and received a formal decision from the Deciding Officer that the payments would be available for collection in the local post office in due course.

Some days later our client was informed by a member of staff that the approval had been a mistake and that the payments would be suspended until such time as an application for the PSC was processed. Our client refused to make the application and asked for written reasons to be provided. The position was subsequently confirmed in writing that payments were suspended until a PSC application was processed.

We wrote to the relevant official on our client’s behalf pointing out that there was no requirement under social welfare law for an applicant to register for the PSC and that the payment had been unlawfully suspended and that our client had been grossly misinformed as to their rights by officials.

We have now received confirmation that payments have been released confirming our assertion that a PSC registration is neither mandatory nor compulsory for the purposes of accessing social welfare benefits.

Introducing #InfoLaw2019 – 22 March

It’s nearly a year since GDPR came into force and we are beginning to see what the world looks like post-GDPR. Just yesterday we saw the French regulator hand out a €50 million fine to Google and it seems there is more to come. We are seeing the rise of the non-profit complainant taking on cases for individuals. DPOs are beginning to find their feet and the first cohort is starting to experience what it is really like to hold this position in the public sector and large organisations.

There are still many questions on people’s minds:

  • Will there be an avalanche of litigation?
  • What is the DPO really supposed to do?
  • Will the GDPR change the way the State and the public sector handle personal data?
  • How are big organisations adapting?

#InfoLaw2019 you can find out the answer to these questions and more from some of Ireland’s leading lawyers, DPOs and industry professionals. We’ll give more details of speakers and topics in the next week or two, check our website for more details or you can order your discounted early-bird ticket below:

Data controllers at risk if they presume mixed personal data can’t be accessed by data subjects without third party consent

Privacy written in tiles

The biggest data protection myth out there is that third party personal data cannot be disclosed under a subject access request that covers “mixed” personal data, i.e. information that contains personal data of more than one individual.

If I had €10 every time a data controller made this claim I wouldn’t need to write this update because I’d have already retired a rich man and would be sitting in my vineyard in the South of France enjoying the good life.

The reality is that there is no presumption against disclosure of third party personal data in a mixed access request. Obviously third parties have privacy rights which cannot be adversely effected but that doesn’t mean they have to consent to disclosure. A data controller has to balance competing interests and make a decision in line with the GDPR, that’s what the law says.

While it may be a difficult to decision to make in some circumstances, generally there should be no real issue since the GDPR facilitates the processing of others people’s personal data as long as it is lawful, responding to a subject access request is no different.

Litigation risk

Data controllers are risking legal proceedings or complaints to the Data Protection Commission if they wrongly assume that all third party data must be purged when responding to subject access requests.

In many situations the rationale for the subject access request is to access information about other people, for example family members or professionals and in those circumstances data subjects may have a very strong legitimate interest in accessing mixed data.

B v General Medical Council

The English Court of Appeal considered this issue in the case of B v General Medical Council [2016] EWCA Civ 1497 which concerned a request by a patient to access a report prepared by the General Medical Council after the patient had complained about his treatment by a doctor. The doctor objected to the release of the report saying it contained both his and the patient’s personal data and therefore his right of privacy prevented the report being released to his former patient.

The General Medical Council nevertheless decided that on balance the rights of the patient favoured releasing the report to him. The doctor successfully appealed to the High Court but that appeal was overturned in the Court of Appeal on the basis that there is no presumption in favour of refusing access to mixed data and the data controller is best placed to make that evaluation and in this instance had done so correctly and lawfully.

Data controllers need to take heed

This case shows that data controllers have a wide margin of discretion but nevertheless have to weigh up the competing interests when handling a subject access request for access to mixed personal data. There is no presumption that mixed data must be refused or that the third party data subject must consent to release.

Any data controller that handles a subject access request based on these presumptions risks litigation or a complaint to the Data Protection Commission.

This article was also published on LinkedIn